- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Wed, 17 Oct 2012 22:28:55 +1300
- To: ietf-http-wg@w3.org
On 17/10/2012 10:00 p.m., Simon Pieters wrote:
> On Wed, 17 Oct 2012 09:32:14 +0200, Mark Nottingham <mnot@mnot.net>
> wrote:
>
>> Um, no.
>>
>> Not only will this retroactively make all intermediary caches
>> non-conformant, it'll also make them completely useless, because of
>> the large (and unnecessary) amount of variance in User-Agent headers.
>
> OK, I can see now that it would make them useless.
>
>> I understand there are security issues here caused by CORS,
>
> The security issue under discussion in the referenced thread would
> materialize if browsers start allowing changing the User-Agent header
> in XHR without sanitizing it. However, that's not the reason I sent
> the email. The reason is that bz argued that intermediary caches are
> broken, which they are for pages on the Web that vary but don't say
> they vary, however that's not actually limited to the User-Agent
> header and is not a valid reason to require intermediary caches be
> useless instead of broken.
>
> Also see
> http://lists.w3.org/Archives/Public/public-webapps/2012OctDec/0216.html

Exactly. Vary is mandatory for resources with negotiated variations - even if it is the nasty "Vary: *". Servers which omit it while varying the representation are non-compliant with HTTP already - thus the broken complainants have no ground to stand on.

However, if you were to propose an implicit Vary:ETag that would be another matter entirely and something I wholeheartedly support. Although the smart servers already do that anyway.

AYJ
Received on Wednesday, 17 October 2012 09:29:36 UTC
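
Added example, not part of the original message or of any real cache's code: a toy shared cache in Python that builds its secondary key from the response's Vary header, showing the wrong-variant hit when an origin varies on User-Agent without declaring it. The class, the function names and the User-Agent strings are constructed for illustration.

```python
# Toy model of Vary handling in a shared cache (illustrative, constructed).

def origin(req, vary):
    """Hypothetical origin that always varies its body on User-Agent.
    `vary` is the Vary value it chooses to declare (None = omitted)."""
    body = "mobile page" if "Mobile" in req.get("user-agent", "") else "desktop page"
    headers = {"vary": vary} if vary else {}
    return headers, body

class ToyCache:
    def __init__(self):
        # url -> list of (selecting header names, their request values, body)
        self.store = {}

    def fetch(self, url, req, vary):
        # Reuse a stored response only if every selecting header matches.
        for names, values, body in self.store.get(url, []):
            if all(req.get(n, "") == v for n, v in zip(names, values)):
                return "HIT", body
        headers, body = origin(req, vary)
        names = [n.strip().lower() for n in headers.get("vary", "").split(",") if n.strip()]
        if "*" in names:
            # Vary: * never matches a later request, so nothing is stored.
            return "MISS", body
        values = [req.get(n, "") for n in names]
        self.store.setdefault(url, []).append((names, values, body))
        return "MISS", body

def demo(vary):
    """Desktop request, then two mobile requests, through a fresh cache."""
    cache = ToyCache()
    desktop = {"user-agent": "ExampleBrowser/1.0"}         # constructed
    mobile = {"user-agent": "ExampleBrowser/1.0 Mobile"}   # constructed
    return [cache.fetch("/", r, vary) for r in (desktop, mobile, mobile)]

if __name__ == "__main__":
    for vary in (None, "User-Agent", "*"):
        print(f"Vary: {vary!r:14} -> {demo(vary)}")
```

With Vary omitted, the mobile client is served the cached desktop body; declaring `Vary: User-Agent` separates the variants, and `Vary: *` disables reuse entirely.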